<html><head><base href="x-msg://515/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Hi Jun. I tried to answer you on the snort-users list but my email was suppressed I think.&nbsp;</div><div><br></div><div>Answers inline:</div><div>On Oct 29, 2010, at 11:07 PM, Jun Wan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; ">1.) Are ET rulesets suitable for Snort 2.9 ???&nbsp;<br></div></span></blockquote><div><br></div><div>Yes, just a few hours ago we got 2.9 and 2.4 finished and published. 
Go to <a href="http://rules.emergingthreats.net/">http://rules.emergingthreats.net/</a> and pick your platform and ruleset.&nbsp;</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; ">2.)&nbsp;&nbsp;How can I download ET rulesets automatically similar to oinkmaster usage (with cron)???<br></div></span></blockquote><div><br></div><div>Just like normal, pick the tarball you need and plug that into oink. It'll do the rest.&nbsp;</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; ">&nbsp;<br>I am able to download VRT rules and ET rules for Snort 2.8.6 via Oinkmaster (with cron), please see the following:<br><br>sudo vi /usr/local/etc/oinkmaster.conf<br>&nbsp;<br>.....&nbsp;&nbsp;<br>url =<span class="Apple-converted-space">&nbsp;</span><a 
href="http://www.snort.org/pub-bin/oinkmaster.cgi/a9393504xxxxxxxxxxxxxxxxxxdb292e/snortrules-snapshot-2860.tar.gz">http://www.snort.org/pub-bin/oinkmaster.cgi/a9393504xxxxxxxxxxxxxxxxxxdb292e/snortrules-snapshot-2860.tar.gz</a><br>url =<span class="Apple-converted-space">&nbsp;</span><a href="http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz">http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz</a><br>&nbsp;<br>.....<br><br>Also I noticed lots of duplicated SIDs during the update process, don't know why/how to fix.<span class="Apple-converted-space">&nbsp;</span><br>&nbsp;<br></div></span></blockquote><div><br></div><div>I'm guessing you're running vrt and the open ruleset, but those both have the old GPL sigs in there, sids 3464 and lower. If you want to use VRT and ET you need to use the ET open-nogpl sigs. Those do not include the gpl snort sigs or the old community sigs.&nbsp;</div><div><br></div><div>That do it for you?</div><div><br></div><div>Matt</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; ">&nbsp;<br>Any information and help would be much appreciated.<br>&nbsp;<br>Thanks.<br>&nbsp;<br>Regards<br>&nbsp;<br>John<br><hr id="stopSpelling">Date: Fri, 29 Oct 2010 16:09:31 -0400<br>From:<span class="Apple-converted-space">&nbsp;</span><a href="mailto:jason.weir@nhrs.org">jason.weir@nhrs.org</a><br>To:<span class="Apple-converted-space">&nbsp;</span><a 
href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>Subject: Re: [Snort-users] URL to download VRT rules<br><br><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010">This is the oinkmaster url I use to get the ET ruleset</span></font></div><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010"></span></font>&nbsp;</div><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010">url=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz<br></span></font></div><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010">No oinkcode needed....&nbsp; I can't answer you on the 2.9 compatibility, you might ask over on the et list..</span></font></div><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010"></span></font>&nbsp;</div><div><font color="#0000ff" size="2" face="Arial"><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a></font></div><div><font color="#0000ff" size="2" face="Arial"></font>&nbsp;</div><div><span class="ecx028300720-29102010"><font color="#0000ff" size="2" face="Arial">-J</font></span></div><div><font color="#0000ff" size="2" face="Arial"><span class="ecx028300720-29102010">&nbsp;</span></font></div><font color="#0000ff" size="2" face="Arial"></font><blockquote dir="ltr" style="border-left-color: rgb(0, 0, 255); border-left-width: 2px; border-left-style: solid; padding-left: 5px; margin-left: 5px; margin-right: 0px; "><div></div><div dir="ltr" lang="en-us" class="ecxOutlookMessageHeader" align="left"><font size="2" face="Tahoma">-----Original Message-----<br><b>From:</b><span class="Apple-converted-space">&nbsp;</span>Alejandro Cabrera Obed [mailto:aco1967@gmail.com]<span class="Apple-converted-space">&nbsp;</span><br><b>Sent:</b><span 
class="Apple-converted-space">&nbsp;</span>Friday, October 29, 2010 3:56 PM<br><b>To:</b><span class="Apple-converted-space">&nbsp;</span>Kevin Ross;<span class="Apple-converted-space">&nbsp;</span><a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br><b>Subject:</b><span class="Apple-converted-space">&nbsp;</span>Re: [Snort-users] URL to download VRT rules<br><br></font></div>OK, just two questions:<div><br></div><div>1) Are ET ruleset suitable for Snort 2.9 ??? Because I can't see the download link for this Snort version at&nbsp;<a href="http://rules.emergingthreats.net/" target="_blank">http://rules.emergingthreats.net/</a></div><div><br></div><div>2) How can I download ET ruleset automatically similar to oinkmaster usage (with cron)???</div><div><br></div><div>Thanks a lot<br><div><br></div><div><br><br><div class="ecxgmail_quote">2010/10/28 Kevin Ross<span class="Apple-converted-space">&nbsp;</span><span dir="ltr">&lt;<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>&gt;</span><br><blockquote class="ecxgmail_quote" style="border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid; padding-left: 1ex; ">I think you may also find use in the emergingthreats rules<span class="Apple-converted-space">&nbsp;</span><a href="http://www.emergingthreats.net/" target="_blank">www.emergingthreats.net</a>. 
Latest rulesets are here:<br><br><a href="http://rules.emergingthreats.net/open-nogpl/snort-2.8.4/emerging.rules.tar.gz" target="_blank">http://rules.emergingthreats.net/open-nogpl/snort-2.8.4/emerging.rules.tar.gz</a><br><br>I would recommend you upgrade though to at least snort 2.8.6.1 so you can make use of the improvements and http_modifiers.<br><br><a href="http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz" target="_blank">http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz</a><br><br>In ET there is a lot of focus on malware command and control, malware, viruses and current things going on. A worthwhile ruleset to include to detect stuff within your network.<span class="Apple-converted-space">&nbsp;</span><br><br>Regards, Kevin<br><br><div class="ecxgmail_quote"><div><div></div><div class="h5">On 28 October 2010 16:09, Alejandro Cabrera Obed<span class="Apple-converted-space">&nbsp;</span><span dir="ltr">&lt;<a href="mailto:aco1967@gmail.com">aco1967@gmail.com</a>&gt;</span><span class="Apple-converted-space">&nbsp;</span>wrote:<br></div></div><blockquote class="ecxgmail_quote" style="border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid; padding-left: 1ex; "><div><div></div><div class="h5">Dear all, I've registered in<span class="Apple-converted-space">&nbsp;</span><a href="http://snort.org/" target="_blank">snort.org</a><span class="Apple-converted-space">&nbsp;</span>to download the VRT rules....I have Snort 2.8.5.3.<div><br></div><div>I use oinkmaster to download the rules, but what is the new URL I have to use:</div><div><br></div><div><span style="line-height: 16px; font-family: Arial, Helmet, Freesans, sans-serif; color: rgb(85, 85, 85); font-size: 16px; "><ul style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; list-style-type: none; padding-left: 0px; padding-right: 0px; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 
16px; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><li style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 16px; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><br></pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; ">This:</pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><a href="http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/a9e009e98b55441d6aeb6983048178df82d721b9" target="_blank" style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 16px; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; ">http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/&lt;</a>oinkcode&gt;</pre></li></ul><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; 
padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><br>
</pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><br></pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; ">or this:</pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><a href="http://www.snort.org/pub-bin/oinkmaster.cgi/" target="_blank">http://www.snort.org/pub-bin/oinkmaster.cgi/</a>&lt;oinkcode&gt;/snortrules-snapshot-2853.tar.gz
    </pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; "><br>
</pre><pre style="padding-bottom: 0px; border-right-width: 0px; background-color: transparent; padding-left: 0px; padding-right: 0px; font-family: Arial, Helmet, Freesans, sans-serif; border-top-width: 0px; border-bottom-width: 0px; color: rgb(85, 85, 85); font-size: 10pt; vertical-align: baseline; border-left-width: 0px; padding-top: 0px; ">Thanks a lot.</pre></span></div></div></div></blockquote></div></blockquote></div></div></div></blockquote><br>_______________________________________________<br>Snort-users mailing list<br><a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a></div></span></blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; 
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>----------------------------------------------------<br>Matthew Jonkman</div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><a href="http://Emergingthreats.net">Emergingthreats.net</a><br>Emerging Threats Pro<br>Open Information Security Foundation&nbsp;(OISF)<br>Phone 765-807-8630<br>Fax 312-264-0205<br><a href="http://www.emergingthreatspro.com">http://www.emergingthreatspro.com</a><br>http://www.openinfosecfoundation.org<br>----------------------------------------------------<br><br>PGP:&nbsp;http://www.jonkmans.com/mattjonkman.asc<br><br><br></div></span></div></span></div></span></span>
</div>
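<div>Added example, not code from the thread or from oinkmaster: a Python check for the duplicate-SID symptom Jun reports above. It parses Snort rule files, lists every SID that appears in more than one file, and counts how many of those collisions sit at or below sid 3464, the legacy GPL range Matt's reply identifies. The rule text and file names are constructed for the demonstration.</div>
<div><br></div>

```python
"""Find Snort SIDs that occur in more than one rule file (added example).

The thread reports duplicated SIDs when oinkmaster merges the VRT snapshot
with the ET "open" tarball; the reply blames legacy GPL signatures
(sid 3464 and lower) that ship in both. This check confirms that diagnosis.
"""
import re
from collections import defaultdict

GPL_SID_MAX = 3464  # from the reply: legacy GPL/community sigs are sid 3464 and lower
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sids(text):
    """Return the SIDs of active (non-commented) rules in one rule-file body."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled rules are not loaded, so they cannot collide
        m = SID_RE.search(line)
        if m:
            sids.append(int(m.group(1)))
    return sids


def find_duplicates(rulesets):
    """rulesets: {file name: rule text}. Returns {sid: sorted names} for SIDs in >1 file."""
    owners = defaultdict(set)
    for name, text in rulesets.items():
        for sid in parse_sids(text):
            owners[sid].add(name)
    return {sid: sorted(names) for sid, names in owners.items() if len(names) > 1}


def summarize(dups):
    """Split colliding SIDs into the legacy GPL range and everything above it."""
    legacy = sorted(s for s in dups if s <= GPL_SID_MAX)
    other = sorted(s for s in dups if s > GPL_SID_MAX)
    return legacy, other


# Constructed sample rule files (not real VRT or ET content); the SIDs were
# chosen to reproduce the collision pattern described in the thread.
SAMPLE_RULESETS = {
    "vrt/snortrules-snapshot": (
        'alert tcp any any -> any 21 (msg:"FTP EXPLOIT format string"; sid:1530; rev:7;)\n'
        'alert tcp any any -> any 80 (msg:"WEB-MISC sample"; sid:3464; rev:2;)\n'
        'alert tcp any any -> any 445 (msg:"NETBIOS sample"; sid:15000; rev:3;)\n'
    ),
    "et/open": (
        '# alert tcp any any -> any 445 (msg:"disabled copy"; sid:15000; rev:1;)\n'
        'alert tcp any any -> any 21 (msg:"GPL FTP EXPLOIT format string"; sid:1530; rev:7;)\n'
        'alert tcp any any -> any 80 (msg:"GPL WEB-MISC sample"; sid:3464; rev:2;)\n'
        'alert tcp any any -> any any (msg:"ET TROJAN sample beacon"; sid:2010000; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    dups = find_duplicates(SAMPLE_RULESETS)
    legacy, other = summarize(dups)
    for sid in sorted(dups):
        print(f"sid:{sid} is in: {', '.join(dups[sid])}")
    print(f"{len(legacy)} collision(s) at or below sid {GPL_SID_MAX}, {len(other)} above")
```

<div>To run it against a real download, replace SAMPLE_RULESETS with the contents of the .rules files oinkmaster fetched; if every collision lands in the legacy range, switching the ET url to the open-nogpl tarball is the fix the reply describes.</div>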
<br></body></html>